OFFICE OF THE INSPECTOR GENERAL
U.S. NUCLEAR REGULATORY COMMISSION

Audit of NRC’s Telecommunications Program

OIG-05-A-13      June 7, 2005

AUDIT REPORT

All publicly available OIG reports (including this report) are accessible through
NRC’s Web site at:
http://www.nrc.gov/reading-rm/doc-collections/insp-gen/

June 7, 2005

MEMORANDUM TO:  Luis A. Reyes
                Executive Director for Operations

FROM:           Stephen D. Dingbaum/RA/
                Assistant Inspector General for Audits

SUBJECT:        AUDIT OF NRC’S TELECOMMUNICATIONS
                PROGRAM (OIG-05-A-13)

Attached is the Office of the Inspector General’s (OIG) audit report titled, Audit of
NRC’s Telecommunications Program.

This audit found that improvements are needed to strengthen controls over the
use of the Nuclear Regulatory Commission’s (NRC) telecommunications services
and the physical security of NRC telecommunications systems.
Specifically, NRC’s telecommunications program oversight does not ensure that:

   - Employees and contractors are using NRC’s telephone system
     appropriately and that phone bills are accurate.
   - Employees are consistently using the Government calling card for
     long-distance calls while on official travel.
   - The agency’s secure cell phone users are receiving the best possible
     coverage to meet their needs.
   - Physical security requirements are enforced pertaining to telephone
     equipment closets.

During an exit conference held May 18, 2005, the agency generally agreed with
the findings and recommendations in this audit report and provided comments
concerning the draft audit report. We modified the report as we determined
appropriate in response to these comments. NRC reviewed these modifications
and opted not to submit formal written comments to this final version of the
report.

If you have any questions, please call Beth Serepca at 415-5911 or me at
415-5915.

Attachment: As stated

Distribution

John T. Larkins, Executive Director, Advisory Committee on Reactor
  Safeguards/Advisory Committee on Nuclear Waste
G. Paul Bollwerk, III, Chief Administrative Judge, Atomic Safety and
  Licensing Board Panel
Karen D. Cyr, General Counsel
John F. Cordes, Jr., Director, Office of Commission Appellate Adjudication
Jesse L. Funches, Chief Financial Officer
Janice Dunn Lee, Director, Office of International Programs
William N. Outlaw, Director of Communications
William N. Outlaw, Acting Director, Office of Congressional Affairs
Eliot B. Brenner, Director, Office of Public Affairs
Annette Vietti-Cook, Secretary of the Commission
William F. Kane, Deputy Executive Director for Reactor
  and Preparedness Programs, OEDO
Martin J. Virgilio, Deputy Executive Director for Materials, Research, State
  and Compliance Programs, OEDO
Jacqueline E. Silber, Deputy Executive Director for Information Services
  and Administration, and Chief Information Officer, OEDO
William M. Dean, Assistant for Operations, OEDO
Timothy F. Hagan, Director, Office of Administration
Frank J. Congel, Director, Office of Enforcement
Guy P. Caputo, Director, Office of Investigations
Edward T. Baker, Director, Office of Information Services
James F. McDermott, Acting Director, Office of Human Resources
Corenthis B. Kelley, Director, Office of Small Business and Civil Rights
Jack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards
James E. Dyer, Director, Office of Nuclear Reactor Regulation
Carl J. Paperiello, Director, Office of Nuclear Regulatory Research
Paul H. Lohaus, Director, Office of State and Tribal Programs
Roy P. Zimmerman, Director, Office of Nuclear Security and Incident Response
Samuel J. Collins, Regional Administrator, Region I
William D. Travers, Regional Administrator, Region II
James L. Caldwell, Regional Administrator, Region III
Bruce S. Mallett, Regional Administrator, Region IV

EXECUTIVE SUMMARY

BACKGROUND

The Nuclear Regulatory Commission’s (NRC) telecommunications
program includes local and long-distance voice services, voicemail,
videoconferencing, and personnel communications equipment
(e.g., calling cards, cell phones). The Office of Information
Services (OIS) provides overall guidance and direction for the
agency’s non-secure telecommunications systems and equipment.
The Office of Nuclear Security and Incident Response manages
NRC’s secure telecommunications systems and equipment.
This audit focused primarily on the agency’s non-secure
telecommunications systems, although auditors also reviewed the
agency’s use of secure cell phones.

PURPOSE

The audit objectives were to evaluate (1) controls over the use of
NRC telecommunications services and (2) the physical security of
NRC telecommunications systems.

RESULTS IN BRIEF

Improvements are needed to strengthen controls over the use of
NRC’s telecommunications services and the physical security of
NRC telecommunications systems. NRC’s telecommunications
program oversight does not ensure that:

- Employees and contractors are using NRC’s telephone system
  appropriately and that phone bills are accurate.
- Employees are consistently using the Government calling card
  for long-distance calls while on official travel.
- The agency’s secure cell phone users are receiving the best
  possible coverage to meet their needs.
- Physical security requirements are enforced pertaining to
  telephone equipment closets.

Appropriate Usage Is Not Ensured

NRC’s telecommunications program oversight does not ensure that
employees and contractors are using NRC’s telephone system
appropriately and that phone bills are accurate.
Specifically,

- OIS performs subjective and limited billing reviews that do not
  fulfill the requirements in MD and Handbook 2.3.
- OIS does not conduct sufficient inventories to ensure that all
  phone lines and circuits for which NRC pays each month are
  used and necessary.
- OIS does not restrict use of the headquarters toll-free number in
  accordance with MD and Handbook 2.3 requirements.

As a result, the agency cannot determine if vendor charges are
accurate and fails to control the use of telecommunications services
by employees and contractors.

Calling Card Is Not Used Consistently Agencywide

Many employees do not use the Government calling card to make
permitted phone calls home while on official travel although the
calling card is the agency’s preferred vehicle for making these calls.
This failure to rely on the calling card occurs because OIS has not
been effective in communicating the preference for calling card use
to employees and because NRC allows an alternative but more
costly means for calling home. As a result, NRC is needlessly
spending roughly $31,600 per year more than is necessary to pay
for travelers’ telephone calls home.

Secure Cell Phone Coverage Is Unreliable

NRC secure cell phone users may not be receiving the best
domestic secure cell phone coverage available today. This is
because NRC opted to purchase cell phones and service that allow
international coverage even though this may not be the best choice
for domestic coverage. As a result, these cell phones have failed to
provide connectivity in several situations where users wanted
secure calling capability.
NRC needs to reevaluate available
options and allow users to select the option that best meets their
coverage and service needs.

Unsecured Telephone Closets in Headquarters and at
Technical Training Center

Auditors found unsecured telephone equipment closets at NRC
headquarters and at the Technical Training Center. In
headquarters, three telephone closets were found either unlocked
or opened. This was because NRC has not effectively enforced the
requirement to keep the doors locked and has not clearly conveyed
to security guards the requirement to check these doors daily. At
the Technical Training Center, the telephone closet is not secured
because managers allowed the telephone closet to remain behind
an unlocked bi-fold closet door. In either case, agency telephone
systems and other equipment maintained in these locations are
vulnerable to tampering.

RECOMMENDATIONS

A consolidated list of recommendations appears on pp. 25-26 of
this report.

AGENCY COMMENTS

During an exit conference held May 18, 2005, the agency generally
agreed with the findings and recommendations in this audit report
and provided comments concerning the draft audit report. We
modified the report as we determined appropriate in response to
these comments.
NRC reviewed these modifications and opted not
to submit formal written comments to this final version of the report.

ABBREVIATIONS AND ACRONYMS

FTS     Federal Telecommunications System
GSA     U.S. General Services Administration
MD      Management Directive
NIST    National Institute of Standards and Technology
NRC     U.S. Nuclear Regulatory Commission
OIG     Office of the Inspector General (NRC)
OIS     Office of Information Services (NRC)
PBX     private branch exchange
TTC     Technical Training Center
WITS    Washington Interagency Telecommunications System

TABLE OF CONTENTS

EXECUTIVE SUMMARY
ABBREVIATIONS AND ACRONYMS
I. BACKGROUND
II. PURPOSE
III. FINDINGS
   A. Telecommunications Services Oversight Is Inadequate
      A.1  Headquarters Billing Reviews Do Not Meet Requirements
      A.2  Routine Telephone Line and Circuit Inventories Are Not Conducted
      A.3  Headquarters Does Not Restrict Use of Its Toll-Free Number
   B. Calling Card Is Not Used Consistently Agencywide
   C. Secure Cell Phone Coverage Is Unreliable
   D. Unsecured Telephone Closets in Headquarters and at Technical
      Training Center
      D.1. Headquarters Closets Were Found Unsecured
      D.2. Technical Training Center – Open Access to the Telephone Closet
IV. AGENCY COMMENTS
V. CONSOLIDATED LIST OF RECOMMENDATIONS

APPENDIXES
   A. SCOPE AND METHODOLOGY
   B. PHYSICAL SECURITY MEASURES FOR REGIONAL PBX SWITCHES

I. BACKGROUND

NRC’s telecommunications program is fundamental to the agency’s
mission to protect public health and safety and the environment
while maintaining an open regulatory process. It is essential that
NRC staff have dependable tools and services to enable
communication internally and with government and industry officials
24 hours a day, 7 days a week. In this way, NRC can also ensure
that important information is communicated to the public in an
effective, efficient, and timely fashion.

Telecommunications Program

NRC’s telecommunications program is composed of all NRC
telecommunications systems, including local and long-distance
voice services, voicemail, videoconferencing, and personnel
communications equipment (e.g., calling cards, cell phones). OIS
provides overall guidance and direction for the agency’s regular
(i.e., non-secure) telecommunications systems and equipment.
The Office of Nuclear Security and Incident Response manages
NRC’s secure telecommunications systems and equipment.
This audit focused primarily on the agency’s non-secure
telecommunications systems, although auditors also reviewed the
agency’s use of secure cell phones.

Program management and oversight for the agency’s non-secure
telecommunications systems and equipment is largely
decentralized. Headquarters provides operational and
administrative support for its systems and services, and the regions
oversee most aspects of their telecommunications programs. An
exception is long-distance service, which headquarters manages
for the entire agency. In headquarters, the Infrastructure and
Computer Operations Division, Computer Operations and
Telecommunications Branch, OIS, provides telecommunications
support and oversight. In each regional office, the Information
Resources Branch provides this function.[1] Region II provides
support and oversight for the Technical Training Center.

[1] In Region IV, this office is the Information Resources and Management Branch.

NRC headquarters, regional offices, and the Technical Training
Center have different local service contracts, but share the same
contract for long-distance service. Local telephone service for
headquarters is provided through the Washington Interagency
Telecommunications System contract (WITS2001) with the General
Services Administration (GSA). Each region and the Technical
Training Center has procured its own local telephone service with
providers in its vicinity.
Agency long-distance service is provided
through the Federal Telecommunications System contract
(FTS2001) with GSA.

OIS staff are working to revise Management Directive (MD) and
Handbook 2.3, Telecommunications, dated January 22, 1993. MD
and Handbook 2.3 provide agencywide policies and procedures for
use of the agency’s telecommunications infrastructure. OIS
managers decided not to finalize the revision until completion of this
audit to ensure that the updated telecommunications guidance
addresses issues raised in the audit report.

Computerized Telephone Switches

Headquarters and the regions have different levels of control over
the telephone switches used to manage their calls. These switches
are of two different types, one a private branch exchange (PBX)
and the other a Centrex. Both systems are computer-based
devices that can be thought of as small telephone companies. A
telephone switch includes a computer processor with memory that
allows the owning entity’s telecommunications staff to manage
telephone call transfers. The PBX is usually housed and
maintained by the owning entity (e.g., Government agency,
company) specifically for its own use as in the case of regional
offices I and III. The Centrex switch is usually housed and
maintained by the local telephone company and services many
customers.

A Centrex telephone switch, owned and operated by Verizon,
under a contract with GSA, allows GSA to manage telephone calls
to and from Headquarters. Telephone lines are run by the service
provider from the offsite switch to the headquarters buildings’ main
telephone demarcation rooms to service the offices within. These
lines are then extended from the lower level demarcation rooms
vertically to telephone closets located on all floors of each building,
excluding the lobby level, using building cable which is maintained
by the NRC telecommunications staff.
These extensions are then
run horizontally from the closets to specific office spaces where the
corresponding telephone numbers are assigned.

Regions I, III, and IV own and maintain their telephone switches.
Region II has use of a GSA telephone switch as part of its office
space lease agreement. The Technical Training Center (TTC) uses
GSA-provided Centrex service from a telephone switch owned by
the Bell South telephone company.

According to the National Institute of Standards and Technology,
PBX switch protection is a high priority because unprotected PBX
switches make users susceptible to toll fraud, disclosure of
sensitive information through eavesdropping, and inconsistent
service. The Department of Homeland Security issued a Homeland
Security Information Bulletin on June 3, 2003, to alert PBX users
about an increase in the number of compromised PBXs and
telephone voice mail systems. The bulletin warns users that these
intrusions allowed unauthorized users to make long-distance
domestic and international telephone calls at the PBX owner’s
expense.
The intruders were also able to make similar connections
to Internet service providers.

FY 2003 and FY 2004 Telecommunications Costs

FY 2003 and FY 2004 telecommunications costs for headquarters
and the regions are displayed in the following table.

            Telecommunications Costs
Locations          FY 2004        FY 2003
Headquarters    $5,028,000     $5,824,000
Region I           229,000        155,000
Region II          317,000        335,000
Region III         217,000        257,000
Region IV          306,000        352,000
TTC                 42,000         43,000
Total           $6,139,000     $6,966,000

Headquarters costs include agency long-distance charges and
charges for local phone service, voicemail, voice/data infrastructure
and support, cell phones, pagers, videoconferencing, and the NRC
Message Center services provided by headquarters operators.
Regional costs include local and resident site dial tone charges, cell
phones, pagers, and other items, but do not include long-distance
charges as these are paid for by headquarters.

Cell Phones

OIS pays for and manages most of the cell phones issued to
headquarters employees for business purposes, and each region
pays for and manages the cell phones it issues to its employees.
NRC is currently exploring a plan to reimburse employees for
official use of personal cell phones. On November 16, 2004, the
Office of General Counsel stated it had no legal objections to a
recent proposal submitted jointly by OIS and the Office of the Chief
Financial Officer on this subject.
According to the proposal, NRC is
considering offering three service level plans to designated
employees. Service plan assignments would be based on the
agency’s determination of the minimum service level each
employee would need to fulfill his or her job duties.

Secure Cell Phones

The Office of Nuclear Security and Incident Response manages the
agency’s secure telecommunications systems and equipment,
including secure cell phones. During FY 2002 and FY 2003,
officials from that office purchased 20 secure cell phones at a total
cost of approximately $43,580. Service costs for these phones
totaled approximately $19,600 in FY 2004 and are expected to be
similar during FY 2005. Between January and February 2004, the
office purchased 20 more secure cell phones.

II. PURPOSE

The audit objectives were to evaluate (1) controls over the use of
NRC telecommunications services and (2) the physical security of
NRC telecommunications systems. Appendix A contains
information on the audit scope and methodology.

III. FINDINGS

Improvements are needed to strengthen controls over the use of
NRC’s telecommunications services and the physical security of
NRC telecommunications systems.
Specifically, NRC should

- Improve headquarters oversight of telecommunications services
  with regard to billing reviews, use of agency toll-free numbers,
  and telephone line and circuit inventories.

- Ensure more consistent use by travelers of the FTS calling card
  for long-distance calls.

- Provide additional service options for the agency’s secure cell
  phone users to improve coverage.

- Enforce physical security requirements pertaining to telephone
  equipment closets.

A. Telecommunications Services Oversight Is Inadequate

OIS telecommunications program oversight does not ensure that
employees and contractors are using NRC’s telephone system
appropriately and that phone bills are accurate. Specifically,

1. OIS performs subjective and limited billing reviews that do not fulfill
   the requirements in MD and Handbook 2.3.

2. OIS does not conduct sufficient inventories to ensure that all phone
   lines and circuits for which NRC pays each month are used and
   necessary.

3. OIS does not restrict use of the headquarters toll-free number in
   accordance with MD and Handbook 2.3 requirements.

As a result, the agency cannot determine if vendor charges are
accurate and fails to control the use of telecommunications services by
employees and contractors.

A.1 Headquarters Billing Reviews Do Not Meet Requirements

Billing Review Guidance

MD and Handbook 2.3 contain various provisions for a cost-effective
telecommunications program.
These provisions require (1) employees
to use Government telecommunications services responsibly and in
accordance with requirements, (2) managers to provide oversight to
ensure that services are used appropriately, and (3) OIS staff to
conduct billing reviews to ensure that costs align with services
received.[2] MD and Handbook 2.3 provisions:

- Prohibit employees from making personal long-distance and
  international calls at the Government’s expense.

- Limit employee use of Government telephone systems to official
  business and certain limited unofficial purposes (e.g., brief,
  infrequent personal calls that could not reasonably be made at
  another time).

- Require regional administrators and headquarters office directors to
  review and validate records of long-distance calls provided by OIS
  and initiate administrative action to collect reimbursement for
  unofficial calls.

- Require OIS to conduct a monthly review of telephone call detail
  records to improve use of the telephone system and reduce overall
  cost.

- Require OIS to randomly sample cell phone bills on a monthly basis
  and forward the bills to the appropriate office director for approval.

Billing Reviews are Limited

OIS performs subjective and limited billing reviews that do not fulfill
the requirements in MD and Handbook 2.3.
As noted in the
Background section of this report, OIS oversees local service for
headquarters and long-distance service for the entire agency.

OIS staff responsible for examining the local and long-distance bills
employ subjective methods for their review and said the bills are
difficult to review in depth because they are voluminous.[3] These
staff said they rely on their experience and general knowledge of
the telecommunications program to determine if monthly charges
appear reasonable, but that it is difficult to know for certain that the
charges are appropriate. They said they consider cost trends and
large variations in monthly cost.

[2] MD and Handbook 2.3 assign this and other telecommunications responsibilities to the Office of
the Chief Information Officer. This office was renamed on February 1, 2005, to the Office of
Information Services.

[3] OIG reviewed local and long-distance bills from October 2002 through September 2004 and
noted that these bills, which do not reflect cell phone calls, are composed of thousands of
individual calling charges as well as various service costs that vary from month to month. During
this time frame, local charges for headquarters averaged $68,761.33 per month and agency
long-distance charges averaged $105,212.79 per month.

They contact vendors to learn why
such changes occur and seek bill adjustments, if appropriate.
However, the staff do not use any specific benchmarks – or dollar
amounts – to alert them when a monthly bill appears questionable.
Instead, they review only those charges that they subjectively
determine to be questionable, and they do not review call detail
records to identify questionable usage by employees and
contractors. In addition, they do not provide long-distance call
detail records to regional administrators and office directors as
required by MD and Handbook 2.3.

Furthermore, OIS staff make no specific effort to review
international calls to assess whether employees are making such
calls appropriately. Information on international calls is included in
the long-distance monthly bills, but staff do not review these
records. Compounding this is the fact that headquarters operators
place international calls whenever requested by headquarters staff.
The operators are not required to ascertain whether the calls are for
official purposes and have never challenged a request for an
international call. Although the operators maintain a handwritten
log of international calls, no one reviews the log to assess whether
these calls are legitimate.

In addition, OIS managers do not randomly sample cell phone bills
on a monthly basis and provide the bills to office directors, as
required by MD and Handbook 2.3. OIS receives support from a
contractor tasked to review the headquarters cell phone bills for
trends and make recommendations for cost-effective service plan
adjustments.
However, the contractor does not look for possible
misuse of services and only inconsistently fulfills requests from
offices to provide their bills for review on a monthly basis.

OIS Lacks Computer Software for Improved Approach

OIS performs subjective and limited billing reviews because OIS
management (1) does not require staff to adhere to the
requirements in MD and Handbook 2.3 and (2) believes OIS lacks
the computer software for a more rigorous approach. Furthermore,
as currently written, the draft revision of MD and Handbook 2.3 will
be inadequate to ensure an appropriate level of control over the
program.

OIS telecommunications managers did not require adherence to
the MD and Handbook 2.3 bill review requirements partly because
they were unaware that current bill review practices were not in
alignment with agency requirements. However, they also defended
the current approach, noting that in the years since the guidance
was approved, local and long-distance rates have dropped, making
time-consuming reviews of call detail records less necessary than
in the past. They said it is primarily up to agency managers to
ensure that employees are not misusing the phones (e.g., spending
inordinate amounts of time making personal phone calls while at
work). OIG finds it illogical that OIS would impose this expectation
on managers without providing the resources (i.e., call detail
records) needed to perform the task.
If agency managers are to
ensure employee accountability with regard to telephone usage, it
is essential that managers receive the call detail records for their
offices on a regular basis.

The OIS managers said that although they would prefer a more
rigorous review process, they lack telecommunications billing
review software[4] to perform in-depth bill reviews each month or to
provide office directors and regional administrators with the call
detail records for their jurisdictions. Without computer software,
they said, manual efforts are too cumbersome and would not be
cost-beneficial. OIS managers said they have actively pursued the
purchase of such software even prior to the start of this audit.

In addition, as currently written, the proposed draft revision of MD
and Handbook 2.3 will be inadequate to ensure the necessary level
of control over employee use of telecommunication services. OIG
reviewed the draft and noted that it contained weaker oversight
provisions than those in the existing guidance. For example, the
draft revision of MD and Handbook 2.3 requires office directors and
regional administrators to review and validate records of usage
provided by OIS and initiate administrative action to collect
reimbursement for unauthorized usage, but only “where appropriate
and economically feasible.” The current version of MD and
Handbook 2.3 does not contain this type of caveat and therefore
assures more control over employee use of the services.
Similarly,
the draft version requires OIS to provide information on usage
“when appropriate and economically feasible.”

[4] Various companies provide telecommunication expense management solutions that allow
Federal agencies to proactively manage, optimize, and validate their telecommunications
infrastructure and bills. Typically, this involves downloading or inputting charges into an
automated database to facilitate review and then running reports to assess whether charges are
appropriate and accurate. Vendors claim these solutions are extremely cost-beneficial and more
than pay for themselves in costs recouped by users.

       Inappropriate Usage and Charges Not Identified

As a result of the existing subjective and limited billing review
process, NRC lacks assurance that vendor charges are appropriate
and accurate and fails to ensure appropriate use of
telecommunications services by employees. Because long-distance
and local call detail records are not reviewed, it is easy for
employees and contractors to misuse the agency’s
telecommunication resources. As an example of inadvertent
misuse, auditors identified that 5,855 local long-distance calls were
made between December 2, 2002, and July 28, 2004, from NRC’s
voicemail system to a contractor’s unused pager. These calls cost
NRC $751.71.
While this figure is minimal in comparison with the
agency’s telecommunications budget, it makes clear that NRC’s
billing review process is ineffective at identifying a large number of
unwarranted calls and suggests that other potential cases of
wasted expense could be overlooked.

A.2 Routine Telephone Line and Circuit Inventories Are Not Conducted

       Inventory Requirements

Routine inventories of telephone lines and circuits for which NRC
pays a recurring monthly charge are essential to ensure that all
these lines and circuits are used and necessary.[5] Although MD
and Handbook 2.3 require NRC to conduct annual physical
inventories of telecommunications equipment for which the agency
pays a recurring charge to assure that vendor billing invoices tally
with existing equipment, there is no similar requirement to inventory
agency phone lines and circuits, which are viewed as services and
not equipment.

       Routine Inventories Are Not Conducted

OIS does not conduct routine inventories of the 5,388 phone lines
and approximately 54 circuits that run through headquarters and for
which NRC pays recurring monthly charges. According to an OIS
staff member responsible for managing the headquarters telephone
lines and circuits, the last thorough inventory of telephone lines was
conducted about 4 or 5 years ago. This inventory did not include a
review of telephone circuits.
According to the OIS staff member,
monthly charges for individual telephone lines range from about
$7.50 to $17, while the charge for individual circuits ranges from
about $200 to $2,000 per month. During FY 2004, NRC incurred
costs of $731,367.21 for headquarters telephone lines. The
amount spent on circuits during the same period is unknown to
OIS, according to the OIS employee. Based on the figures the OIS
employee provided (approximately 54 circuits, costing NRC
between $200 and $2,000 apiece per month), OIG estimates that
NRC spent at least $130,000 for telephone circuits during FY 2004.

[5] According to an OIS staff member, telephone lines are used primarily to carry voice service,
while telephone circuits are high-capacity conduits with greater bandwidths and speeds used to
support data communications for systems such as internetwork communications or
videoconferencing.

While the OIS staff member continually tracks changes and
additions to telephone lines by updating a database with this
information, there is no comparable database of telephone circuits.
In addition, no proactive effort is made to identify telephone lines or
circuits that are no longer in use or needed by the agency. Lines
and circuits become unused when, for example, a system
connection is terminated or an employee leaves the agency.
Without conducting inventories of the telephone lines and circuits,
the staff member said, there is no assurance that NRC is using all
the services for which it pays.
Furthermore, the staff member said,
OIS does not know exactly how many circuits NRC has or the exact
amount it pays for these connections.

       Inventory Requirements Are Needed

NRC is not conducting routine inventories of NRC telephone lines
and circuits because there is no requirement to do so.
Telecommunications staff agreed with OIG that routine inventories
of the telephone lines would be a good business practice and a
means to ensure that NRC is paying for needed services only;
however, they said they lack the resources to perform such
inventories and to review usage records to identify unused circuits
and telephone lines.

       Accuracy of Bills Is Unknown

Without conducting routine inventories of telephone lines and
circuits, the agency cannot know whether its telephone bills
accurately reflect the services for which the agency pays month
after month.

A.3 Headquarters Does Not Restrict Use of Its Toll-Free Number

       Guidance on Toll-Free Numbers

NRC headquarters and regional offices provide toll-free numbers to
their staff to use while on travel. According to MD and Handbook
2.3, the headquarters “800 service” (toll-free number) is to be used
by travelers to contact their offices.

MD and Handbook 2.3 are silent concerning regional office use of
their region’s toll-free numbers, but state that the directive and
handbook must be followed by all headquarters and regional
employees.

Headquarters is responsible for paying for all of NRC’s long-distance
charges, including calls made via the toll-free numbers.
During FY 2004, NRC paid $40,668 for toll-free calls.
According to
an OIS official, this total was based on a rate of 2 cents per minute
of use.

       Headquarters Usage Does Not Match Guidance

While each of NRC’s four regional offices restricts use of their
toll-free numbers primarily to calls terminating at their offices, this is not
the case in headquarters. In headquarters, toll-free calls are
answered by NRC operators, who connect callers with numbers
inside and outside of headquarters. Operators said they were
permitted to connect travelers with their homes as well as
headquarters numbers, but stated that many requested
connections are not to home or headquarters numbers. They said
they sometimes ask callers for their badge numbers to ensure they
are speaking with an NRC employee. They also may inquire about
the call’s purpose to assure that it is for official business. However,
they said they would not turn down a connection request.

In three of the regional offices, however, toll-free number calls are
connected only to numbers within the regional offices.
Consequently, even employee requests to be connected to an NRC
resident inspector at a nuclear power plant would be denied. In the
remaining region, toll-free callers are connected to regional office
numbers and to licensee sites, but not to any other numbers.

       Policy Not Enforced

Headquarters operators connect toll-free callers to numbers outside
of headquarters because OIS management has not required
operators to enforce the MD and Handbook 2.3 requirements.
However, OIS managers expressed differing views on whether this
practice was appropriate.
Two managers said this practice should
be allowed because there are occasions where travelers may need
to get in touch with non-headquarters numbers for official purposes.
They said using the toll-free number in this manner is sometimes
the most cost-effective way to facilitate local and long-distance
calling. For example, it may cost NRC less for operators to connect
long-distance callers to numbers outside of headquarters than for
callers to use the commercial telephones in their hotels. A different
manager disagreed and said travelers should use the FTS calling
card (see page 14 for description) to make long-distance calls and
not go through the operators. This manager pointed out that the
toll-free connections cannot be tracked to ensure they were made
for official business purposes, while calling card usage can be
reviewed.

       Agency Cannot Ensure Official Usage

By permitting headquarters operators to freely connect toll-free
callers to local and long-distance numbers outside of headquarters,
OIS cannot ensure that the service is being used for official agency
business only. NRC could be incurring charges for toll-free
connections made for unofficial purposes and has no way to assess
whether this is so. While there may be circumstances where
headquarters and regional toll-free callers should be permitted to
make outside connections, these circumstances need to be
well-defined and oversight and enforcement need to be performed.

Summary

NRC needs to ensure that employees and contractors are using
NRC’s telephone system appropriately and that phone bills accurately
reflect services received.
By improving its billing review methods,
updating inventory requirements, and clarifying and enforcing its
policy concerning usage of its toll-free numbers, NRC will increase
its control over telecommunications services and their cost
agencywide.

Recommendations

OIG recommends that the Executive Director for Operations:

1. Purchase and implement billing review software to assist in
   implementing a cost-effective, comprehensive
   telecommunications billing review process.

2. Establish benchmarks for determining if telecommunications
   charges are accurate and appropriate.

3. Revise MD and Handbook 2.3 to include effective management
   controls over headquarters staff use of agency
   telecommunications services.

4. Establish requirements for routinely conducting inventories of
   telephone lines and circuits for which the agency pays monthly
   recurring charges, assessing usage of these telephone lines
   and circuits, and making adjustments to account for unneeded
   telephone lines and circuits.

5. Define and enforce appropriate use of agency toll-free numbers.

B. Calling Card Is Not Used Consistently Agencywide

Many employees do not use the Government calling card to make
permitted phone calls home while on official travel although the
calling card is the agency’s preferred vehicle for making these calls.
This failure to rely on the calling card occurs because OIS has not
been effective in communicating the preference for calling card use
to employees and because NRC allows an alternative but more
costly means for calling home.
As a result, NRC is needlessly
spending roughly $31,600 per year more than is necessary to pay
for travelers’ telephone calls home.

       Calling Card Guidance

According to MD and Handbook 2.3, long-distance service via the
FTS network should be used to avoid excessive telephone call
expense whenever practicable. One feature of the FTS long-distance
contract is the Government calling card, which allows
employees to make long-distance calls without operator assistance
through the FTS network while on official travel. Employees may
use the cards while on official travel to make business calls and to
make brief calls to their families. The FTS calling card is similar to
commercial calling cards in that employees may dial in to the
service from any commercial telephone, enter a code, and then dial
the number to which they wish to be connected. According to OIS
managers, long-distance calls made using the calling card cost the
same (2 cents per minute) as all long-distance calls made over the
FTS network.

Information concerning calling card use also appears in some
regional policies and in hardcopy headquarters telephone
directories. For example, Region IV guidance directs that all official
calls from outside the office should be made using the Government
calling card.
Region III guidance encourages staff to use the card
when making personal calls home in lieu of toll calls, calls billed to
hotel rooms, or collect calls while on travel status.

Although the calling card is the preferred method of long-distance
calling for employees on travel, MD and Handbook 2.3 also note
that employees traveling for 2 or more nights on Government
business may be reimbursed up to $4 per day for a brief (defined
as “approximately 5 minutes”) call home.

The current revised draft of MD and Handbook 2.3 does not offer
the $4 per day option, but allows employees traveling and incurring
lodging costs a brief (defined as “not to exceed 30 minutes per
day”) call per day to their residence, preferably using the calling
card.

       Calling Card Use Not Consistent

Many NRC employees are not using the Government calling card to
call home while on travel and are instead requesting
reimbursements for calls made while they are on travel status. OIG
auditors reviewed 1,123 travel vouchers processed by the Office of
the Chief Financial Officer during September 2004 and found that
the agency was paying an average of $147.50 each day to
reimburse travelers for phone calls home.
The $147.50 was
composed primarily of $4 per day charges.[6] Based on this review,
auditors estimated that NRC could save about $31,600 each year
by requiring travelers to use the Government calling card wherever
possible.[7]

Furthermore, there is no documentation to ensure that employee $4
per day claims for calls home reflect actual use. However,
long-distance call detail records do track calling card use and therefore
provide a means of ensuring accountability by users.

       Better Communication Needed

OIS has not effectively communicated to employees the agency’s
preference for calling card use for calls made home while on official
travel. Furthermore, NRC allows employees an alternative way to
call home that is more costly.

While OIS has issued 1,413 calling cards to employees, not all
travelers possess them and the office does not actively advertise
their availability. According to an OIS staff member, in the past,
information concerning calling card availability was conveyed to
office information technology coordinators (who are responsible for
making requests to OIS for calling cards). However,
information on calling cards has not been conveyed recently to
information technology coordinators.

[6] While most employees claimed $4 per day for calls made home while on travel, a limited
number claimed amounts less than $4.

[7] Auditors derived the $31,600 figure by multiplying $147.50 by 252 (i.e., average number of
working days per year) and then multiplying the total by 85 percent. This reduction was made to
allow for the fact that the revised MD and Handbook 2.3 anticipate that travelers will make
30-minute calls home each day, which, at a rate of 2 cents per minute, would cost the agency about
$.60 per day of travel. Use of the calling card would allow the agency to save about 85 percent of
the $4 it now pays out for a call home each day of travel.

Furthermore, OIS has not tried other methods to inform employees
about calling cards. Such methods could include placing notices
about calling card availability at the headquarters travel office or
alerting Office of the Chief Financial Officer staff to notify
employees whose vouchers include $4 per day reimbursement
requests that the calling cards are available.

Finally, even if travelers are aware of the calling card option, they
may not make the effort to acquire a card because NRC allows all
employees the option to submit $4 per day telephone claims.

       NRC Is Spending More Than Necessary

By not requiring employees to use the Government calling card to
make appropriate calls home while on official travel, NRC is
spending approximately $31,600 per year more than necessary.
The agency also misses an opportunity to collect call detail
information on these calls to ensure that charges are appropriate.
OIS needs to (1) take a proactive approach and inform employees
about the availability and benefits of using the calling cards and (2)
require use of the cards by employees in most travel situations.
Exceptions could be made for infrequent travelers.

Recommendations

OIG recommends that the Executive Director for Operations:

6. Develop and implement a communications plan to better inform
   employees about the availability and benefits of using calling
   cards.

OIG recommends that the Chief Financial Officer:

7. Discontinue the $4 per day reimbursement option and issue
   calling cards instead.

C. Secure Cell Phone Coverage Is Unreliable

NRC secure cell phone users may not be receiving the best
domestic secure cell phone coverage available today. This is
because NRC opted to purchase cell phones and service that allow
international coverage even though this may not be the best choice
for domestic coverage. As a result, these cell phones have failed to
provide connectivity in several situations where users wanted
secure calling capability. NRC needs to reevaluate available
options and allow users to select the option that best meets their
coverage and service needs.

       Secure Cell Phones

According to MD and Handbook 12.4, NRC Telecommunications
Systems Security Program, classified or sensitive unclassified voice
telecommunications should be transmitted over protected systems
to the maximum degree possible. As part of this program, the
agency has a limited number of secure cell phones to facilitate
secure conversations from locations where secure telephones are
unavailable.

The National Security Agency approves all cryptographic systems
and techniques used by the Federal Government.
Therefore,
according to an employee from the Office of Nuclear Security and
Incident Response (NSIR), the National Security Agency certifies
the secure cell phone technology and agencies must purchase
phones and services that use the certified technology.

MD and Handbook 12.4 predate the agency’s purchase of secure
cell phones and do not specifically address this type of equipment.
OIG presumes, however, that NRC expects these cell phones to
offer the best coverage in as many locations as possible so that
they can facilitate connectivity whenever and wherever needed.

Furthermore, according to an NSIR employee, when the agency
initially purchased the secure cell phones, the intent was that
employees would use the secure cell phone as their main NRC cell
phone because the phone offers both secure and regular
communication capabilities.

       Many Users Are Dissatisfied With Coverage

NRC secure cell phone users may not be receiving the best secure
cell phone coverage available today. OIG surveyed 19[8] employees
to whom secure cell phones were assigned and learned that most
were either dissatisfied with the coverage, unaware of coverage
because they had not tested it, or felt the coverage was inferior to
that offered by their regular cell phone. Only 3 of the 19 used the
secure cell phone as their primary agency cell phone.
Of the 16
who did not use the secure cell phone as a primary phone, 15 had
a second agency cell phone that they used as their primary
business cell phone. The 16th employee opted to use a personal
cell phone for official business. Reasons provided for not using the
secure cell phone as a primary phone included problems with
coverage, concern over losing or damaging the secure cell phone,
and the perception that the cell phones were for emergency use
only.

In general, regional users were less aware of and less satisfied with
secure cell phone coverage than headquarters users. Only three of
five regional users had tested coverage of the secure cell phones,
and only one believed the coverage was comparable to the
employee’s regular cell phone. Of 11 headquarters users, 7 had
tested coverage and 4 thought the coverage was comparable to
their regular cell phone. Of the 19 users, 6 shared their knowledge
of dead spots with other users and 1 documented this information
to share with others. Of those surveyed, only 2 had made an
international call.
A third person had tried unsuccessfully to make
such a call.

NRC recently purchased an additional 20 secure cell phones,
costing $2,179 apiece, to use in headquarters and the regions.

       International Capability Has Impact On Domestic Coverage

Some secure cell phone users may not be receiving the best
coverage domestically because NRC opted to purchase phones
and service that allow international coverage – even though these
may not be the best choices for domestic coverage. According to
staff who were involved in the selection process in 2002, a primary
factor was the interest by several individuals in being able to make
international calls. However, 16 of 19 NRC secure cell phone users
have never attempted to place an international call with these
phones and consequently failed to benefit from this feature.

[8] At the time the survey was conducted, NRC had assigned 20 phones to 19 employees (1
employee was assigned 2 phones). Of the 20 phones, 12 were assigned to headquarters
employees and 8 to regional employees.

Because NRC opted for secure cell phones and service that may
not be the best choice for domestic coverage, the phones failed to
work during several emergency exercises. During these exercises,
users were not successful in making desired connections even
though in at least one case the employee’s regular cell phone could
make the connection.
In an additional example of phone failure, an
employee could not get coverage using the secure cell phone
during a hurricane.

       Coverage Could Be Improved

By selecting service plans for the regions and headquarters that
provide the best coverage for users in these different geographic
locations, NRC can better ensure that the secure cell phones
provide connectivity when needed. Furthermore, NRC should not
purchase any additional secure cell phones without evaluating
whether it would be advantageous to select phones that do not
allow international coverage, but which provide better coverage
domestically.

Recommendations

OIG recommends that the Executive Director for Operations:

8. Select secure cell phone service plans for the regions and
   headquarters that provide the best coverage for users in these
   different geographic locations.

9. If additional secure cell phones are purchased, select phones
   that will facilitate the best coverage for users in the regions and
   in headquarters.

D. Unsecured Telephone Closets in Headquarters and at Technical Training Center

Auditors found unsecured telephone equipment closets at (1) NRC
headquarters and (2) the Technical Training Center. In
headquarters, three telephone closets were found either unlocked
or opened. These headquarters closets were unsecured because
NRC has not effectively enforced the requirement to keep the doors
locked and has not clearly conveyed to security guards the
requirement to check these doors daily.
At the Technical Training
Center, the telephone closet is not secured because managers
allowed the telephone closet to remain behind an unlocked bi-fold
closet door. In either case, agency telephone systems and other
equipment maintained in these locations are vulnerable to
tampering.[9]

D.1 Headquarters Closets Were Found Unsecured

       Security Requirements

NRC’s telecommunications systems are subject to the physical
security controls required by OMB Circular A-130, Appendix III,
“Security of Federal Automated Information Resources.” These
physical security requirements, detailed in MD and Handbook 12.5,
NRC Automated Information Security Program, specify that
telephone and wiring closets should be kept locked at all times
when unattended and that access should be restricted to a limited
number of accountable personnel.

National Institute of Standards and Technology publications also
emphasize the importance of physical security controls to prevent
unauthorized access to telephone closets and PBX facilities.
According to the Federal Agency Security Practices Agency IT
Security Handbook, telephone-wiring closets should be kept locked
and secured.
National Institute of Standards and Technology
requirements state that telephone closet doors should be secured
with a cipher lock or suitable substitute at a minimum.

       Three Headquarters Closets Were Unsecured

NRC headquarters telephone equipment closets were left
unsecured and unattended in several locations in the NRC
headquarters buildings.

[9] Auditors also reviewed physical security measures employed in the regions to protect their telephone
switches. Appendix B contains information on these security practices.

Despite requirements to keep the telephone closets secured when
unattended, OIG found three unsecured doors during a physical
security inspection. These closets contain badge system wiring, air
conditioning components, and other equipment.

On December 14, 2004, the audit team performed an inspection of
the 43 telephone closets and 2 telephone equipment rooms in the
One and Two White Flint North headquarters buildings to ensure
that the telecommunications equipment was protected from
unauthorized access. Auditors noted that while each of the doors
protecting these areas had access control features,[10] two telephone
closet doors in the One White Flint North building were unlocked
because the override buttons were enabled, preventing the bolt
from releasing to lock the doors.
Auditors also found that a
telephone closet door in the Two White Flint North building was left
open for more than 2 hours on the day of the inspection. Auditors
checked this closet several times over the 2-hour period and noted
that no one was working inside or nearby. Furthermore, this closet
had been seen open and unattended on several prior occasions.

According to an OIS official, telecommunication contractors are
instructed to lock the telephone closet doors whenever their work
has been completed or they step out of the line of sight of the doors.
This official said that the contractors are also reminded of this
policy whenever security guards inform OIS staff that security
guards found telephone closets unlocked during their security
checks. OIG notes that it is difficult at times to identify a specific
individual responsible for leaving the closets unlocked and
unattended because the closets are accessed by both
telecommunications and Division of Facilities and Security
contractors.[11] However, the telecommunications services contract
requires contractors to adhere to NRC security requirements to
keep the telephone closet doors shut.

[10] Cipher locks are used to control access to the One and Two White Flint North telephone
equipment closets. The headquarters badge access control system controls access to the two
telephone equipment rooms.
These rooms have this added level of access control because they
serve as the entry point for headquarters’ 5,388 telephone lines, which are used for employee
telephones, fax machines, modems, remote access to building management and security
systems, video and audio conferencing systems, computer systems, and systems for the hearing
impaired.

[11] Division of Facilities and Security contractors require access to the closets to perform work on
the headquarters badging system and air conditioning, which also run through the telephone
closets.

    OIS Lacks Enforcement Method

Headquarters NRC telephone equipment closets were left
unsecured because OIS lacks a method for ensuring that
contractors follow the security policy to keep the telephone closet
doors locked. Furthermore, the Office of Administration has not
provided clear guidance to NRC security guards on their
responsibility to routinely check these doors while conducting
patrols.

Although telecommunications contractors are reminded to lock the
telephone closet doors, and it is a contract requirement, OIS lacks
a method of enforcing this measure. OIG discussed this situation
with Office of Administration officials and learned that NRC could
issue contractors security infractions for leaving the doors
unlocked. A security infraction is an administrative action that NRC
takes when an employee or contractor fails to comply with NRC
security requirements. The issuance of three security infractions to
any one contractor could result in the loss of his or her ability to
work as a contractor at NRC. The telecommunications contract
would need to be modified to note enforcement of security policies
and the issuance of security infractions when telephone closet
doors are found unsecured.
OIG also learned that NRC could fine
contractors for leaving the doors unsecured, provided the contract
is modified to include such a provision.

NRC’s security guard contract requires roving security guards to
check doors throughout the facility to ensure they are locked.
However, the post order for roving guards does not state this
specifically, which weakens the agency’s assurance that these
checks are occurring consistently and routinely. The post order
directs guards to check the computer room doors, but does not
mention the telephone closets. An Office of Administration official
said the computer closet check was specifically added to the post
orders because the guards need to check the temperature of the
rooms to ensure they are not too hot. The inclusion of the
requirement to check the telephone closet doors will help to ensure
the security policies are being enforced.

    Security Vulnerability

When any telephone closet door in One or Two White Flint North is
left unsecured, the phone system for that particular floor is
jeopardized because of how the system is wired. Tampering with
telephone lines can expose the telephone switch to
penetration by a hacker. Furthermore, the badging and the air
conditioning systems are also vulnerable because they are also
located in the telephone closets.

D.2 Technical Training Center – Open Access to the
    Telephone Closet

    Security Requirement

As stated previously, MD 12.5 requires that telephone closets be
locked at all times and access to the telephone and wiring closets
be restricted to a limited number of accountable personnel.

    One Closet Is Unprotected

One of the Technical Training Center’s telephone equipment
closets is not appropriately protected.
This closet is located behind
an unsecured bi-fold door within a supply room that is kept open
during the workday for the convenience of the professors and staff.
The closet door has no locking mechanism to control the access to
the telephone lines.

    Managers Did Not Enforce Agency Policy

The Technical Training Center telephone closet was not protected
because managers failed to enforce agency security policy for the
protection of telephone and wiring closets.

    Closet Is Vulnerable to Tampering

Unauthorized access to the Technical Training Center’s telephone
closet can allow for tampering and a disruption of telephone service
through the manipulation of the telephone lines housed in the
telephone closet. As noted previously, tampering can expose the
telephone switch to penetration by hackers. While the Technical
Training Center’s PBX is not located within the center’s office suite,
it does not diminish the need for the center’s managers to protect
the telephone lines once they have entered Technical Training
Center office space.

Summary

NRC has not effectively enforced its security policy to keep
telephone closets locked when unattended. Three telephone
closets were found unsecured in the One and Two White Flint
North buildings during a physical security inspection and the
telephone closet at the Technical Training Center is not protected
by a locking door. Failure to protect telephone lines exposes NRC
to toll fraud, disclosure of sensitive information, or the disruption of
service because the telephone switch becomes vulnerable to
penetration.

Recommendations

OIG recommends that the Executive Director for Operations:

10. Implement the existing security guard contract requirement to
    ensure the telephone closet doors are checked throughout the
    facility and add the requirement to check the telephone closet
    doors to the security guard post orders.

11. Issue periodic written reminders to telecommunications
    contractors, and to other contractors who require access to the
    telephone closets, conveying the NRC security requirement to
    keep the telephone closet doors locked when the closets are
    unattended.

12. Impose penalties, such as security infractions or fines, on
    individuals who do not adhere to the security requirement to
    keep the telephone closet doors locked.

13. Install a locking door on the telephone closet within the
    Technical Training Center office suite to prevent unauthorized
    access to the telephone lines.


IV. AGENCY COMMENTS

During an exit conference held May 18, 2005, the agency generally
agreed with the findings and recommendations in this audit report
and provided comments concerning the draft audit report. We
modified the report as we determined appropriate in response to
these comments. NRC reviewed these modifications and opted not
to submit formal written comments to this final version of the report.


V. CONSOLIDATED LIST OF RECOMMENDATIONS

OIG recommends that the Executive Director for Operations:

1.  Purchase and implement billing review software to assist in
    implementing a cost-effective, comprehensive
    telecommunications billing review process.

2.  Establish benchmarks for determining if telecommunications
    charges are accurate and appropriate.

3.  Revise MD and Handbook 2.3 to include effective
    management controls over headquarters staff use of agency
    telecommunications services.

4.  Establish requirements for routinely conducting inventories
    of telephone lines and circuits for which the agency pays
    monthly recurring charges, assessing usage of these
    telephone lines and circuits, and making adjustments to
    account for unneeded telephone lines and circuits.

5.  Define and enforce appropriate use of agency toll-free
    numbers.

6.  Develop and implement a communications plan to better
    inform employees about the availability and benefits of using
    calling cards.

OIG recommends that the Chief Financial Officer:

7.  Discontinue the $4 per day reimbursement option and issue
    calling cards instead.

OIG recommends that the Executive Director for Operations:

8.  Select secure cell phone service plans for the regions and
    headquarters that provide the best coverage for users in
    these different geographic locations.

9.  If additional secure cell phones are purchased, select
    phones that will facilitate the best coverage for users in the
    regions and in headquarters.

10. Implement the existing security guard contract requirement
    to ensure the telephone closet doors are checked throughout
    the facility and add the requirement to check the telephone
    closet doors to the security guard post orders.

11. Issue periodic written reminders to telecommunications
    contractors, and to other contractors who require access to
    the telephone closets, conveying the NRC security
    requirement to keep the telephone closet doors locked when
    the closets are unattended.

12. Impose penalties, such as security infractions or fines, on
    individuals who do not adhere to the security requirement to
    keep the telephone closet doors locked.

13. Install a locking door on the telephone closet within the
    Technical Training Center office suite to prevent
    unauthorized access to the telephone lines.


Appendix A
SCOPE AND METHODOLOGY

Auditors reviewed NRC’s telecommunications program to evaluate
(1) controls over the use of NRC telecommunications services and
(2) the physical security of NRC telecommunications systems.

Audit work excluded telecommunications associated with incident
response operations because this program was the subject of a
recent OIG review.
Auditors assessed physical security measures
employed by headquarters, the regions, and the Technical Training
Center to protect their telephone equipment, but did not conduct
penetration testing on agency telecommunications systems.
Penetration testing did not occur because anticipated assistance
from a National Security Agency telecommunications expert was
unavailable during the audit timeframe.

Auditors reviewed and analyzed Federal guidance, agency
directives, and security standards to establish the internal controls
over telecommunication services and requirements for the security
of the telecommunications system. A review of the draft MD and
Handbook 2.3 was performed to provide OIS staff with
recommendations for updating the instruction.

Auditors analyzed the feasibility of requiring employees to use
calling cards for calls home while on travel instead of claiming a $4
charge per day for 5-minute telephone calls home. Travel
reimbursements paid during the month of September 2004 were
reviewed to estimate the number of $4 reimbursements claimed for
telephone calls and the amount paid by the agency for calls home
made by employees on temporary duty travel.

Auditors performed a security inspection of headquarters, regional
office, and Technical Training Center telephone equipment rooms
and closets to assess protection provided to the
telecommunications equipment. Interviews of headquarters,
regional office, and Technical Training Center telecommunications
staff were conducted to learn about the management and
administration of the telecommunications program.
In addition,
auditors interviewed agency security staff to determine the
implementation of security requirements with respect to the
telecommunications equipment.

This review was conducted from July 2004 to January 2005 in
accordance with generally accepted Government auditing
standards. Internal control weaknesses have been noted and
considered for reporting. The work was conducted by Beth
Serepca, Team Leader; Shyrl Coker, Audit Manager; and Judy
Gordon, Audit Manager.


Appendix B
PHYSICAL SECURITY MEASURES FOR REGIONAL PBX
SWITCHES

OIG found that each of the regions is implementing the physical
security and access controls required by the National Institute of
Standards and Technology (NIST) and MD and Handbook 12.5 for
the protection of the PBX telephone switches; therefore, no
recommendations are made in this area. The telephone switches
are secured in locked equipment rooms, password controls are
exercised, and modems are kept disconnected to prevent
unauthorized remote access to the telephone switch.
The
implementation of these physical security and access controls
protects the regions from vulnerabilities associated with the use of
unprotected telephone switches such as toll fraud, the theft of
proprietary, personal, and other sensitive information as well as
eavesdropping.

OIG was unable to perform penetration tests of NRC’s
telecommunication system because of the unavailability of an
expert from the National Security Agency.

    PBX Security Requirements

Security measures for PBX systems are issued in NIST Special
Publication 800-24 PBX Vulnerability Analysis. NIST specifically
stipulates that the PBX and its network equipment should be
secured to protect it from damage and unauthorized access or use
through the use of locked doors, automatic detection devices, and
positive identification and authentication controls. NIST guidance
further states that access to the PBX should be minimized to
include authorized personnel only, and that password management
is essential to good security. The passwords themselves should be
controlled so that they expire after a period of time. NIST further
warns that because PBXs typically require remote maintenance by
vendors, remote access should normally be blocked.
These
physical security and access control measures are included in MD
and Handbook 12.5 and are provided on the Federal Agency
Security Practices web site for the application of Federal security
professionals.

    Regions Implemented Protections

The regions have either implemented all of the required PBX
protections or are using a PBX managed by another entity that has
implemented all of the suggested protections. Regions I, III, and IV
have possession of their own PBX telephone switches, and these
are directly managed by the regional Information Resources Branch
staff. Region II, located in a GSA-leased building, pays for the use
of GSA’s PBX telephone switch as part of its lease agreement for
office space.

Physical Security and Access Controls Implemented

              Maintained in      Password           Limited Access    Prevent
              Locked Space       Controls           to PBX Software   Remote Access

Regions I,    Card access        Passwords          2 to 3 people     Modems are
III, and IV   control systems    changed every      have access to    physically
              or key used to     30 to 90 days      the PBX           disconnected
              secure the PBX                        software

Region II     Alarmed doors      Passwords          Access is         Modems are
through GSA   with cameras       changed            limited to GSA    physically
                                 periodically in    telephone         disconnected
                                 accordance with    technicians
                                 GSA requirements   and their
                                                    supervisor